A rather sizeable security loophole allows Android apps to access the photo libraries of users without permission and copy them to a remote server.
The flaw, first reported by the New York Times, follows revelations earlier this week that iPhone apps were also able to glean photos from the device if they are given access to location data.
According to the NYT, which had a developer built an app to exploit the flaw, the Android security inadequacy only requires the user to grant permission to access the internet.
Kevin Mahaffey, CTO of security software company Lookout says: “We can confirm that there is no special permission required for an app to read pictures. This is based on Lookout’s findings on all devices we’ve tested.”
Google is well aware of this
However, despite this rather startling revelation, not only is Google perfectly aware of this, but actually designed the Android operating system this way.
The company says it relates to offering users easier to access to their own images, but has now acknowledged it may now have to rethink this policy.
A company spokesman told the NYT in an emailed statement: “We originally designed the Android photos file system similar to those of other computing platforms like Windows and Mac OS.
“At the time, images were stored on a SD card, making it easy for someone to remove the SD card from a phone and put it in a computer to view or transfer those images.
“As phones and tablets have evolved to rely more on built-in, non-removable memory, we’re taking another look at this and considering adding a permission for apps to access images.
“We’ve always had policies in place to remove any apps on Android Market that improperly access your data.”
Like taking photos from a smartphone
The NYT asked developer Loupe to create an app which would expose the flaw.
The company was able to create software, masquerading as a simple timer, which could dip into the photo library upon start-up and post the most recent picture on a public sharing site.
It is unknown whether any apps that currently exist in the Android Market are indeed pilfering perhaps the most personal data of all.